The COVID-19 pandemic has been wreaking havoc, leaving organisations with no choice but to be agile and adapt to the changing business and health environment. According to professional service firm Deloitte, the insurance industry has not escaped its impact and the insurers have responded to the crisis quickly.
During a fireside chat at the recent Cloud Frontiers Conference 2021, Sourabh Chitrachar, Regional VP (Asia), IT Transformation and Strategy, at Liberty Mutual, talked about the pandemic’s impact on the insurance sector, migrating to the cloud, his organisation’s business continuity, and more. Sourabh joined Liberty Insurance in 2019 after spending over a decade at financial services company Allianz and its IT service subsidiary.
How has COVID impacted your particular industry – insurance?
It has had a tremendous impact on how we have been working. It has evolved from an internal standpoint, as well as an external perspective.
The way we work with our intermediaries, customers, and employees – it has an external and internal impact, and some of it has been really transformational because we learnt and adapted. In the past, we thought: “We can’t do business without meeting our customers and meeting our intermediaries like OEMs and brokers when selling insurance policies.” But COVID proved us wrong. Now, we have to do it online, as that’s the new normal, and if you don’t do it, chances are you will not be in business anymore.
Our strategy is as follows:
First, for our employees. Now that there’s more demand for working from anywhere, we need to strengthen internal systems – whether it’s our internal capacity or security – to prevent threats like cyberattacks. That’s super important because when employees are working from home or anywhere outside the office, there is a huge potential impact on security. We also needed to change some of our policies on working from home, making your work flexible, and making it more adaptable and supportive for employees.
Customer experience has always been important within the insurance industry, however. l feel that the view of the customer experience is becoming increasingly important. We would look primarily from an “inside-out” view (in terms of security policy), however, I see that an “outside-in” perspective has started taking precedence over inside-out, as we now talk more about customer journeys and ecosystems.
This is really transformational in our industry and there is a lot of change happening as regards enhancing the digital experience for customers, and the way we have touchpoints – whether its point of sales with the experience of buying a policy, the whole journey of claims, or retaining our customers. Moving forward, this is one of the things that will continue.
Since the journey has started, it will not return to a previous normal; this is the new normal and this is what will continue. We will evolve and adapt as we go forward in this journey. In fact, the operating models will become more digital and robust.
Insurance is a conservative industry, because we have to deal with a lot of customer data and regulations. The balance between what is going to help our customers and not compromising on the security and data breaches is what is going to play a vital role as we go forward.
Was the cloud a part of your plan even before? How is the cloud and pandemic equation working out?
The cloud had always been an integral part of our journey. Even before the pandemic, as a part of our strategy, we had plans to migrate all our markets into the cloud. In Asia, barring two markets where we have regulatory constraints in moving customer data to the cloud, all our markets are already on AWS cloud, which is a big achievement as that involved a whole mindset change around privacy, security, and customers’ data, plus convincing the businesses about the benefits of the cloud.
It was not an easy path, but even before the pandemic hit, we were already on the cloud in most of our markets. In some of the markets we were halfway through, but that accelerated due to the pandemic.
Is your IT centrally organised from your headquarters, or do all the regions have separate IT teams? Are they free to make decisions about the cloud regionally?
Our cloud strategy is a global strategy. As an organisation, we saw that infrastructure standardisation is an approach that we need to roll out across the globe, because every market or every country was on different levels of maturity. One of the things we noted when we embarked on that journey was that the maturity levels were different and we could not use a one-size-fits-all strategy.
We started evolving and adapting our strategy to the needs of the market, but overall strategy and execution of the infrastructure standardisation came from our headquarters, supported by the regional and local teams. We did make tweaks regionally based on the needs of the market, but there’s no denying that the strategy overall was driven globally.
In the post-COVID business environment, the new normal, how do you see your business evolve and do you see the cloud meeting the needs of your business going forward? What are your plans for the cloud post-pandemic?
Cloud, like I said, is the foundation of our digital strategy. When we talk of digital, the core elements are agility and customer-centricity, in order to be able to drive or build solutions.
When we look at our employees as a target audience, we want to ensure that the solutions provided are agile. Without moving to the cloud, this would be impossible. The moment we talk about security, there are two elements: security in the cloud, and outside it.
We are not particularly worried about the security in the cloud as most cloud providers have high security standards, and we have rarely observed breaches within cloud providers. However, there is a little element of worry because everything is evolving. But at the end of the day, all the customer data is part of our accountability as an organisation. I might use vendor X/Y or a cloud provider X versus Y, but then if anything goes wrong, the accountability still lies with us as an organisation.
Keeping that in mind, the benefits which cloud offers in terms of agility, flexibility, being able to create instances, and ramping up and down on-demand, are super important. From a security standpoint, the integration of DevSecOps is also a critical element because earlier, security used to be viewed in hindsight, like a checkbox as you go through the development stage – and you need to include security at some stage. However, that is now coming to the forefront because of external factors like tightening regulations and internal awareness regarding the impact of security on the organisational reputation, which becomes even more important due to the migration to the cloud.
Looking at the DevOps pipeline, DevSecOps brings security to the forefront, and cloud plays a role. Without migration to the cloud, a lot of things in our digital strategy might not have been possible. When you are looking at changing our monolithic architecture to microservice-based or digital touchpoints for customers, or digital experiences for our employees, it should be as seamless as when they are working from home using their private tools like WhatsApp. The moment you look at those components (e.g. MS Teams, Skype for Business, Webex), they are all cloud-based and there’s no denying that if we don’t do it, we will lack a competitive advantage.
This is not just an IT view; business is also aligned to this view because we see this is a common end-goal of a digitally enabled, high performing business consisting of people and processes powered by technology, hence the need for a collaborative approach, bringing the business teams on the journey with IT.
So far, there hasn’t been any massive breaches in the hyperscaler providers, so generally, the main worry for a lot of people is the data in transition. What’s your encryption policy like?
I don’t have a definitive answer to that because we are on a journey to be fully secure and fully digitally encrypted. But if I had to look at a maturity level, between zero and five – zero being non-existent and five being up in the game, and everything is great.
That’s a dynamic scale as the 5 changes. We might become more secure, but the elements outside which are impacting security could advance, so we need to adapt and change.
On a scale of that 0 to 5, we are somewhat about 2 to 3, and we are on that journey. We are looking a lot at perimeter security and bringing DevSecOps to the forefront, rather than security as an afterthought, then encrypting data wherever we can.
Are we 100% there? Like I said, no. Are we going to get there? That’s the need and obviously, we have to, but that’ll be like a journey which we will have to embark on.
One of the hallmarks of the pandemic is that people have rushed to the cloud without having complete control or understanding of what they are doing. What advice would you give other enterprises, whether insurance or across verticals?
You need to look at your business needs, your priorities, and the end-goal you want to achieve as an organisation while moving to the cloud. That retrospection is far more important than actually going with the flock.
You need to define what you are trying to achieve. For us, since we are building the whole digital ecosystem, the idea was to look at how cloud forms the backbone of our system.
In those scenarios, it becomes important that we have flexibility, modularity, and on-demand systems. That’s where we decided that yes, we have to move from on-premises to cloud. Secondly, our motivation was also the security aspect. How secure are we, and how much effort do we want to put in security within the organisation? Do we want to build an army of security personnel being an insurance company? Probably not, but we still need to have a threshold of an optimum number of security personnel who can support the business and prevent breaches.
Thirdly, your internal retrospection on the business case itself. If you believe that moving to the cloud will lower your costs, that’s not always the case. Maybe you are still evolving or learning. Maybe you don’t know how to utilise or optimise your resources on the cloud, but gradually you will get there with enough awareness, training and business needs.
If we go with the mindset: “Hey, my current OPEX is X million dollars and I’ll move to the cloud. Within two years, it will become 0.5X,” I don’t think that’s going to work. That’s a journey, with the most important benefit being agility and flexibility. That’s where the USP of cloud lies, in my view.